From: Jeff Mahoney <jeffm@suse.com>
To: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: grundler@parisc-linux.org, kyle@mcmartin.ca,
linux-kernel@vger.kernel.org, security@kernel.org
Subject: Re: [PATCH] drivers/net/tulip/de4x5.c: prevent reading uninitialized stack memory
Date: Wed, 15 Sep 2010 11:42:40 -0400
Message-ID: <4C90E970.6020700@suse.com>
In-Reply-To: <AANLkTiki4bNP83B2WEPcKnnDqHibxqYyi6V2CjiG9GEO@mail.gmail.com>
On 09/11/2010 07:46 PM, Dan Rosenberg wrote:
> The DE4X5_GET_REG device ioctl allows unprivileged users to read 32
> bytes of uninitialized stack memory, because it copies the
> uninitialized "addr" member instead of the intended "lval" member.
> This patch takes care of it.
>
> Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
No. This patch may be considered for correctness, but there's no
security issue here.
'tmp' is a union, not a struct. Writes to lval are the same as writes to
addr. The length is correctly determined so that only initialized memory
is used.
-Jeff
> --- linux-2.6.35.4.orig/drivers/net/tulip/de4x5.c 2010-09-11
> 19:12:27.000000000 -0400
> +++ linux-2.6.35.4/drivers/net/tulip/de4x5.c 2010-09-11 19:17:12.000000000 -0400
> @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
> tmp.lval[6] = inl(DE4X5_STRR); j+=4;
> tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
> ioc->len = j;
> - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
> + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
> break;
>
> #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
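Review bot: the changelog's claim of a 32-byte uninitialized stack read is not supported by the changed copy_to_user() line. The length is still ioc->len = j, and j only counts the 4-byte tmp.lval[] stores directly above it, so the bytes copied are the ones just written, provided tmp.addr and tmp.lval share storage. The reply in this thread states that tmp is a union, which is exactly that case. Suggest rewording the changelog as a consistency cleanup (copy from the member that was filled) and dropping the security framing. A short comment at the copy noting that addr and lval alias would spare the next reader the same question.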
--
Jeff Mahoney
SUSE Labs
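
The union-versus-struct distinction made in the reply above, as an added example that is not part of the original message or of de4x5.c: the same fill-then-copy sequence is run once on a union and once on a struct. The type names, the array sizes, the 0xAA fill pattern and the use of memcpy() in place of copy_to_user() are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS 8      /* the hunk ends at lval[7]; 4 bytes per store */
#define STALE 0xAA   /* constructed pattern standing in for old stack bytes */

/* Assumed layout: in a union, addr and lval start at the same address. */
union tmp_union   { uint8_t addr[64]; uint32_t lval[16]; };
/* Contrast case: in a struct, addr and lval are separate storage. */
struct tmp_struct { uint8_t addr[64]; uint32_t lval[16]; };

/* Returns 1 if copying via addr yields exactly the bytes written via lval. */
int union_copy_matches(void)
{
    union tmp_union tmp;
    uint8_t via_addr[NREGS * 4], via_lval[NREGS * 4];
    size_t j = 0;

    memset(&tmp, STALE, sizeof(tmp));
    for (int i = 0; i < NREGS; i++) { tmp.lval[i] = 0x1000u + i; j += 4; }
    memcpy(via_addr, tmp.addr, j);   /* memcpy stands in for copy_to_user() */
    memcpy(via_lval, tmp.lval, j);
    return memcmp(via_addr, via_lval, j) == 0;
}

/* Returns how many stale bytes leave the buffer if tmp were a struct. */
size_t struct_stale_bytes(void)
{
    struct tmp_struct tmp;
    uint8_t out[NREGS * 4];
    size_t j = 0, stale = 0;

    memset(&tmp, STALE, sizeof(tmp));
    for (int i = 0; i < NREGS; i++) { tmp.lval[i] = 0x1000u + i; j += 4; }
    memcpy(out, tmp.addr, j);        /* addr was never written in this case */
    for (size_t k = 0; k < j; k++) stale += (out[k] == STALE);
    return stale;
}

int main(void)
{
    printf("union: copies match = %d\n", union_copy_matches());
    printf("struct: stale bytes copied = %zu\n", struct_stale_bytes());
    return 0;
}
```
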